ABSTRACT



A communication system comprising multiple terminal
equipment (1), each consisting of a terminal (4) cooperating
with a microprocessor-driven user card (SIM module; 5).
Each user card includes data memory (8) comprising a
plurality of objects and serving as medium to at least two
separate applications, the user card comprising a
microprocessor (6) and ROM (7) for executing instructions
pertaining to the applications. Each object contained in the
user card data memory is associated with a first defined
access control policy by a set of first access conditions.
Each object is also associated with at least another access
control policy defined by a set of at least one alternative
access condition. Each alternative access condition is
applicable, for the object, to a group of at least one
instruction pertaining to the application(s) using the other
defined access control policy. Each object is also associated
with a plurality of access control policy indicators each
indicating, for one of the applications, which access control
policy to use with the application, the access control policy
indicators being stored in the data memory (8).

22 Claims, 5 Drawing Sheets 
COMMUNICATION SYSTEM FOR
MANAGING SAFELY AND INDEPENDENTLY
A PLURALITY OF APPLICATIONS BY EACH
USER CARD AND CORRESPONDING USER
CARD AND MANAGEMENT METHOD

BACKGROUND OF THE INVENTION 

The field of the invention is that of systems communi- 
cating with terminal devices, each being a terminal cooper- 
ating with a microprocessor-driven user card. 

The invention applies in particular, but not exclusively, to 
the case of a cellular communications system with mobile 
stations, each being a terminal cooperating with a user card 
called a Subscriber Identity Module (or SIM module). 

The invention also applies, once again not exclusively, to 
the case of a communications system with pay stations, each 
being a bank terminal cooperating with a payment card. 

More specifically, the invention relates to a communica- 
tions system for secured, independent management of a 
plurality of applications by each user card. The invention 
also relates to a user card and a corresponding management 
method. 

DESCRIPTION OF THE RELATED ART

The disadvantages of known communications systems are 
presented below using the example of a cellular communi- 
cations system. It is clear, however, that the invention is not 
limited to this type of system, but relates more generally to 
any communications system in which a user card, designed 
to cooperate with a terminal, supports several applications. 

In the field of cellular communications, the GSM standard 
("Global System for Mobile communications operating in 
the 900 MHz band") is known, primarily in Europe. 

The invention applies in particular, but not exclusively, to 
a system according to this GSM standard. More generally, it 
is applicable to all systems in which each user card can 
manage at least two separate applications. 

In the case of a cellular communications system, a ter- 
minal is a piece of physical equipment used by a network 
user to access the telecommunication services offered. There 
are different types of terminals such as portables, or mobiles 
mounted on vehicles. 

When a terminal is used by a user, the latter must connect 
his user card (SIM module), which is generally in the form 
of a smart card, to the terminal. 

The user card supports a principal telephone application 
(for example the GSM application) which allows it, as well 
as the terminal to which it is connected in the cellular 
communications system, to operate. In particular, the user 
card provides the terminal with which it is connected with a 
unique subscriber identifier (or IMSI identifier, standing for 
"International Mobile Subscriber Identity"). For this 
purpose, the user card includes command execution means 
(for example a microprocessor and a program memory) and 
data storage means (for example a data storage). 

The IMSI identifier, as well as all the individual infor- 
mation about the subscriber, to be used by the terminal, are 
stored in the data storage means of the SIM module. This 
enables each terminal to be used with any SIM module. 

In certain known systems, particularly in a GSM system, 
there is a short message service (SMS) for sending short 
messages to mobile stations. These messages are transmitted 
by a short message service center (SMS-C). 

When a mobile station receives a short message, it stores 
it in the data storage means of its SIM module. The principal 
telephone application of each SIM module [*] to handle
each short message received.

Originally, the only function of a short message was to
provide information to the subscriber, generally via a
terminal display screen. The short messages, known as normal
short messages, that fulfilled this single function thus
contain only raw data. Subsequently, an enhanced short message
system (ESMS) was designed in which two types of short
messages could be sent, namely the normal short messages
referred to above and enhanced short messages which could
contain commands.

Thus, European patent EP 562 890, for example, proposes
transmitting commands enabling this SIM module to be
updated or reconfigured remotely, to an SIM module, by
means of enhanced short messages. In other words, commands
embedded in enhanced short messages modify the principal
telephone application of the SIM module.

It has also been proposed that the SIM module serve to
support applications other than the principal telephone
application, such as in particular automobile leasing,
payment, or customer loyalty.

Since the commands belonging to these other applications
are contained in enhanced short messages, which are
accordingly outside the SIM module, these other applications
are known as "remote" or "distant." On the other hand, the
principal telephone application, whose commands are contained
in the data storage means of the SIM module, is known as
"local." The commands are also known as "local" or "remote"
depending on whether the application to which they belong is
itself local or remote.

Patent PCT/GB/9401295 describes for example an SIM
module supporting the following remote applications:
updating telephone numbers remotely, renting (a vehicle or
hotel room in particular), and payment. Each message
includes a data follow-up command. For example, the
following four types of remote commands (of 255 possible
commands) are presented:

Write commands, for storing data contained in the messages
received in the SIM module, from a specified memory
location;

Read commands, for reading data in the SIM module, from a
specified memory location, the data read being placed in
messages going to outside callers;

Lock/unlock commands authorizing or prohibiting writing
and reading of specified memory locations in the SIM
module;

Run program commands, for running a program stored in the
SIM module.

With these remote commands, one can thus execute remote
applications (leasing, payment, reconfiguration of the
principal telephone application, etc.). One can also add new
functionalities to the SIM module. Thus, the SIM module can
become a multi-service card with, for example, the features
of a credit card, a passport, a driving license, a member
card, etc.

It is clear that this recent multi-application concept of the
SIM module is highly advantageous for the subscriber. The
latter can now very simply carry out numerous transactions
such as renting an automobile and paying for a service
simply with a terminal into which his SIM module is
inserted.

On the other hand, this recent multi-application concept
of the SIM module, as currently implemented, has the major
drawback of not independently managing each of the
applications, local or remote. Indeed, in all systems known
to date, the data storage files of the SIM module are
accessible in the same manner by all the applications.
Thus, in the aforementioned patent, PCT/GB/9401295,
access to certain memory locations by a command is always
authorized, while access to other memory locations by a
command may be either authorized or refused. However,
whatever the memory location concerned, accessibility by a
command does not depend in any way whatever on the
application to which this command belongs.

Likewise, in current GSM specifications (particularly
specification GSM 11.11), no difference is made between
applications in terms of access conditions to the files
containing the SIM module data. Each file has its own
standard access control policy which is unique and defined by
a set of standard access conditions, and each of these
standard access conditions applies to a separate command for
this file. Each standard access condition can have various
values such as for example "ALWAYS" (access always
authorized), "CHV1" or "CHV2" (cardholder verification), and
"NEVER" (access never authorized). But none of these values
is designed to link access to the file to the identity of the
application to which the command requesting this access
belongs.

This absence of file access control as a function of
application is unsatisfactory from the standpoint of security.
This means that all remote applications supported by the
data storage means of a given SIM module can access all the
files in these data storage means. Thus there is nothing to
prevent data relating to one of these remote applications
from being read or even modified by another of these remote
applications. It clearly emerges from the foregoing that each
remote application does not have sufficient security and
confidentiality for its own data stored in the SIM module.

BRIEF SUMMARY OF THE INVENTION

The particular goal of the invention is to overcome this
major drawback of the prior art.

More specifically, one of the objectives of the present
invention is to provide a communication system (particularly
but not exclusively a cellular communications system) in
which each user card can securely and independently manage a
plurality of applications.

In other words, one of the objectives of the invention is to
enable each application vendor to prevent applications other
than its own from accessing at least some of the objects (for
example files) of the user card which support his application.

Another objective of the invention is to update (or
reconfigure) user card objects which support the various
applications, while ensuring that these applications continue
to be managed in a secure and independent fashion.

An additional objective of the invention is to allow remote
creation of a new application which, like the existing
applications, is supported by objects that it alone is able to
access, in the case of some of them at least.

These various objectives, and others which will appear
below, are achieved according to the invention by means of
a communications system of the type having in particular a
plurality of terminal devices, each being a terminal
cooperating with a microprocessor user card,

each user card including data storage means including a
plurality of objects, this data storage means serving to
support at least two different applications, this user card
including means for executing commands belonging to these
applications,

each object included in the data storage means of a user card
being associated with a first access control policy defined
by a set of first access conditions, each of these first
access conditions applying, for this object, to a group of at
least one command belonging to the application or
applications using this first access control policy,

characterized in that each object is also associated with at
least one other access control policy, each other access
control policy being defined by a set of at least one
alternative access condition, each alternative access
condition of another given access control policy applying,
for this object, to a group of at least one command belonging
to the application or applications using this other given
access control policy,

and in that each object is also associated with a plurality of
access control policy indicators, each access control policy
indicator indicating, for one of these applications, which
access control policy, namely the first or another, is to be
used with this application, these access control policy
indicators being stored in this data storage means.

The general principle of the invention is thus constituted
of:

associating one or more access control policies with each
object (which is a file for example) in addition to the first
access control policy (known in certain cases as
"standard"); and

for each object, indicating the access control policy (first
or other) to be used with each application.

Thus, access to the object (by a command) need not be
identical to all the applications. For each application,
access of its various commands to an object is defined by the
special access control policies that are associated with it
for this object.

Advantageously, for each object, at least one other access
control policy is specific to one of the applications, each
alternative access condition of this other specific access
control policy applying, for this object, to a group of at
least one command belonging to the single application using
this other specific access control policy.

Advantageously, for each object, at least one other access
control policy is fully common to at least two applications,
each alternative access condition of this other fully common
access control policy applying, for this object, to a group
of at least one command belonging to these at least two
applications using this other fully common access control
policy.

Advantageously, for each object, at least one other access
control policy is partially common to at least two
applications,

whereby some of the alternative access conditions of this
other partially common access control policy apply, for this
object, to a group of at least one command belonging to these
at least two applications using this other common access
control policy,

and whereby others of the alternative access conditions of
this other partially common access control policy apply, for
this object, to a group of at least one command belonging
solely to one of these at least two applications using this
other common access control policy.

Thus, for each object, each application can:

either have its own set of alternative access conditions;

or share its entire set of alternative access conditions with
one or more other applications,

or share only some of its set of alternative access
conditions with one or more other applications.

In the simplest case, each object is associated both with
the first access control policy and with another unique
access control policy. The latter is defined by a single
access condition, applied in a common manner to all the
application commands using it.

In the most complex case, each object is associated both
with the first access control policy and with as many other
different access control policies as there are applications.
Each of these other access control policies is defined by a
plurality of different access conditions, each of which
applies to one or more of the commands belonging to this
other access control policy.

In a particular embodiment of the system according to the 
invention, of the type allowing cellular communications, the 
plurality of terminal devices is a plurality of mobile stations, 
the user cards being subscriber identity modules. 

In the particular case of a cellular communications 
system, the plurality of applications supported by the storage 
means of the user card includes for example the principal 
telephone application (for example the GSM application), 
and: 

either at least one remote application (for example automo-
bile leasing, payment, or loyalty) whose commands are
supplied from the outside to the command execution
means of the user card (for example via enhanced short
messages); and

or at least one other local application whose commands are 
supplied internally to the command execution means of 
the user card (for example from a ROM program memory 
of this user card). 

It should be noted that the first situation is more frequent 
than the second because a user card generally supports only 
one local application, namely the principal telephone appli- 
cation. However, the second situation may also be contem- 
plated. 

Thus, according to the invention, in the particular case of 
a cellular communications system, each user card can man- 
age all or some of the applications it supports in a secure 
way. 

In one advantageous embodiment of the invention, the 
system is of the type also including at least one message 
service center, 

the data storage means of a user card serving to support at 
least one local application and at least one remote appli- 
cation of the user card, the commands being termed 
"local" when they belong to the local application or 
"remote" when they belong to the remote application, 

each terminal being able to receive messages of the normal 
or enhanced type transmitted by the message service 
center, each user card including means for storing and 
processing messages received by the terminal with which 
it cooperates, 

whereby the normal messages containing raw data constitute 
information to be furnished to the subscriber by means of, 
in particular, a terminal display screen, with the enhanced 
messages containing remote commands, 

the system is characterized in that the data storage means of 
each user card also store a list of authorized remote 
applications, 

and in that each user card also includes enhanced message 
discrimination means enabling each enhanced message 
containing remote commands not belonging to one of the 
authorized remote applications to be blocked.

Thus the user card detects whether the remote application
transmitting the enhanced message is authorized to access 
this user card. This discrimination operation constitutes an 
additional security level for access by the commands to the 
data storage of the user card. 

The normal or enhanced messages are for example short 
messages according to the GSM vocabulary. 

Preferably, the data storage means of each user card also 
store, for each of the authorized remote applications, a secret 
reference and an associated message authentication mode, 
and each user card also includes discriminated enhanced 
message authentication means enabling a discriminated 
enhanced message to be authenticated using the secret
reference and the message authentication mode
associated, in the data storage means, with the authorized
remote application to which the commands contained in
the discriminated enhanced message belong.

In other words, a user card authenticates each enhanced
message discriminated according to the authentication mode
and secret reference associated with the application trans-
mitting this message. This authentication operation consti-
tutes yet another additional security level for access by the
commands to the data storage of the user card.

Advantageously, for each object, the, or at least one of the,
other access control policies, known as second access con-
trol policy, is defined by a set of at least one special
alternative access condition, each special alternative access
condition being able to assume in particular the following
values:

"no access": if the object is not accessible by any command
in the group of at least one command to which the special
alternative access condition applies;

"private access": if the object is accessible only by the
commands belonging to a single predetermined
application, among the group of at least one command to
which the special alternative access condition applies;

"shared access": if the object is accessible by the commands
belonging to at least two predetermined applications,
within the group of at least one command to which the
special alternative access condition applies.

In one particular embodiment of the invention, for each
object, at least one other access control policy, known as
remote access control policy, is defined by a set of at least
one remote access condition, each remote access condition
applying, for this object, to a group of at least one remote
command belonging to the remote application or applica-
tions using the remote access control policy,

and for each object, only the access control policy indicators
each associated with one of the remote applications are able
to indicate the remote access control policy.

In this particular embodiment, the access of each object to
each remote application can be either authorized or
prohibited, provided, of course, that the remote access
control policy is the one that actually should be used with
this remote application.

For each object, the following may be provided:

either a separate remote access control policy for each
separate application;

or the same remote access control policy for at least some of
the remote applications (or for all of them).

It should be noted that, with the exception of the first
access control policy, the single access control policy or all
the other access control policies are remote access control
policies while the first access control policy must necessarily
be used with the local application or applications.

Advantageously, for each object, each remote access
condition can assume the same values as the special alter-
native access conditions.

Thus it is possible to partition the data storage of the user
card between the various remote applications. Some objects
can be rendered:

either inaccessible ("no access") by any remote command,
whatever the remote application to which this remote
command belongs;

or accessible ("private access") only by all or some of the
commands belonging to one unique remote application, known
as the parent application of this object;

or accessible ("shared access") by all or some of the
commands belonging to certain specific remote applications.
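The policy selection described above, as an added illustration that is not code from the patent: each object carries a first (standard) policy with one condition per command, one or more remote policies whose alternative conditions cover groups of commands with the values "no access", "private" or "shared", and a per-application indicator naming which policy applies. The object names, application names (GSM, LEASING, PAYMENT) and command names are constructed for the example; the fully common and partially common policies of the summary are both shown.

```python
from dataclasses import dataclass
from enum import Enum


class Std(Enum):
    """First ("standard", GSM 11.11 style) access conditions, one per command."""
    ALWAYS = "ALWAYS"
    CHV1 = "CHV1"
    CHV2 = "CHV2"
    NEVER = "NEVER"


@dataclass(frozen=True)
class Alt:
    """Alternative (remote) access condition: 'no access', 'private' or 'shared'."""
    kind: str
    apps: frozenset = frozenset()   # owning application(s) for private / shared


NO_ACCESS = Alt("no access")


def private(app):
    return Alt("private", frozenset({app}))


def shared(*apps):
    return Alt("shared", frozenset(apps))


@dataclass
class Obj:
    name: str
    first_policy: dict      # command -> Std
    remote_policies: dict   # policy name -> {frozenset of commands (a group) -> Alt}
    indicators: dict        # application -> "first" or a remote policy name


def access_allowed(obj, app, command, chv1_verified=False, chv2_verified=False):
    """Does `command`, issued by `app`, reach `obj` under the policy its indicator selects?"""
    policy = obj.indicators.get(app)
    if policy is None:
        return False                      # no indicator for this application: deny
    if policy == "first":
        cond = obj.first_policy.get(command, Std.NEVER)
        return (cond is Std.ALWAYS
                or (cond is Std.CHV1 and chv1_verified)
                or (cond is Std.CHV2 and chv2_verified))
    for group, cond in obj.remote_policies[policy].items():
        if command in group:
            if cond.kind == "no access":
                return False
            return app in cond.apps       # private: the single parent app; shared: listed apps
    return False                          # command not covered by any alternative condition


READ, WRITE, LOCK, RUN = "READ", "WRITE", "LOCK", "RUN"


def sample_card():
    """Constructed objects: a local GSM application plus two remote ones, LEASING and PAYMENT."""
    ef_phone = Obj("EF_PHONE",   # subscriber data: standard policy for GSM, nothing for remote apps
                   first_policy={READ: Std.ALWAYS, WRITE: Std.CHV1, LOCK: Std.NEVER},
                   remote_policies={"remote_all": {frozenset({READ, WRITE, LOCK, RUN}): NO_ACCESS}},
                   indicators={"GSM": "first", "LEASING": "remote_all", "PAYMENT": "remote_all"})
    ef_lease = Obj("EF_LEASE",   # fully common remote policy that keeps the file private to LEASING
                   first_policy={READ: Std.NEVER, WRITE: Std.NEVER},
                   remote_policies={"leasing_only": {frozenset({READ, WRITE}): private("LEASING"),
                                                     frozenset({LOCK, RUN}): NO_ACCESS}},
                   indicators={"GSM": "first", "LEASING": "leasing_only", "PAYMENT": "leasing_only"})
    ef_loyalty = Obj("EF_LOYALTY",  # partially common: READ shared, WRITE reserved to PAYMENT
                     first_policy={READ: Std.CHV1},
                     remote_policies={"partly_common": {frozenset({READ}): shared("LEASING", "PAYMENT"),
                                                        frozenset({WRITE}): private("PAYMENT")}},
                     indicators={"GSM": "first", "LEASING": "partly_common", "PAYMENT": "partly_common"})
    return {o.name: o for o in (ef_phone, ef_lease, ef_loyalty)}
```

Every path that finds no indicator or no covering condition denies, so an application that was never granted a policy for an object cannot reach it by default.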
In this way, all the objects with a private access linked to
one and the same remote application constitute a secured,
sealed barrier specific to this parent application and
inaccessible to the other applications. The vendor of a given
remote application is thus assured that distant applications
other than his own cannot access the secured area assigned
to him.

In one advantageous embodiment of the invention,
wherein the data storage means of each user card of the type
has a hierarchical structure with at least three levels and has
at least the three following types of files:

master file;

specialized file, or subdirectory, placed below the master
file;

elementary file, placed below one of the specialized files,
known as parent specialized file, or directly below the
master file, known as parent master file,

the system is characterized in that the data storage means of
each user card include at least one elementary system file,
each elementary system file being linked to an authorized
remote application and storing a first piece of information
for locating the secret reference and the message
authentication mode that are associated with this authorized
remote application to which it is linked,

and in that each enhanced message includes a second piece
of information for locating the elementary system file
with which the authorized remote application to which the
commands contained in the enhanced message belong is
linked,

whereby the authentication means read, in each
discriminated enhanced message, this second piece of
elementary system file locator information in order to read,
in the elementary system file, this first piece of locator
information for the secret reference and message
authentication mode to be used to authenticate this
discriminated enhanced message.

Thus each elementary system file contains information for
finding the elements needed to authenticate a message
transmitted by the remote application to the application to
which this elementary system file is linked. For its part,
every message includes (in its header) information for
finding the elementary system file to which its transmitting
application is linked so that it can be authenticated.

Advantageously, each elementary system file is placed
under a specialized file or directly under the master file,
whereby a maximum of one elementary system file can be
placed under each specialized file, and a maximum of one
elementary system file can be placed directly under the
master file.

Preferably, if no elementary system file exists under a
specialized file or under the master file, then each
elementary file placed under the specialized file, whatever
the value of the remote access conditions associated with
this elementary file, is not accessible by any remote command,

and if no elementary system file exists directly under the
master file, then each elementary file placed directly under
the master file, whatever the value of the remote access
conditions associated with this elementary file, is not
accessible by any remote command.

This means that, to be accessible by a remote command,
a file must be placed under a specialized file or directly
under a master file to which an elementary system file
relates. The meaning of "relates" will be specified below.

Preferably, the second piece of information for locating
the elementary system file is an identifier of a specialized
file or a master file to which the elementary system file
relates according to a predetermined search strategy in the
data storage means.

Advantageously, the predetermined search strategy in the
data storage means is a backtracking search mechanism
which looks to see whether an elementary system file exists
under the specialized file or master file indicated by this
identifier and, if not, and if the identifier does not indicate
the master file, looks to see whether an elementary system
file exists directly under the master file.

Thus the expression "relates" used above corresponds for
example to a search of the backtracking type.

In one advantageous embodiment of the invention, in the
case of a file one of whose remote access conditions has the
"private access" value, the predetermined unique remote
application whose remote commands can access the file is,
provided it is successfully authenticated, the parent
authorized remote application of the file, namely the
authorized remote application linked to the same elementary
system file as that to which the parent specialized file or
parent master file of this file relates,

and, in the case of a file whose remote access condition has
the "shared access" value, the at least two predetermined
remote applications whose remote commands are able to
access the file are, provided they are successfully
authenticated, all the authorized remote applications,
whatever the elementary system file to which each of
them is linked.

Thus, a parent application linked to a given elementary
system file has child files which are all the files whose
parent specialized file or parent master file (namely the
specialized file or master file under which they are directly
placed) relates to this given elementary system file.

The set of child files of a parent application constitutes a
logical file group, also called "security domain," specific to
this application. In the case of an authorized remote access
of the "private" type, it is this security domain that delimits
the secured area specific to the application benefiting from
this privacy right.

In other words, the security domain partly includes the
logical regrouping of the files according to their parent-
child dependency link with one application. Each application
has its security domain. This in fact means assigning a
definition to the objects in the security domain of the
application. The logical group of files can then be called
"application security domain" or "validity domain of the
security schema of the application."

Advantageously, each elementary system file has a
separate set of access control policy indicators, whereby each
access control policy indicator, for one of the applications,
indicates what access control policy, namely the first or
another, is to be used with this application,

this separate set of access control policy indicators being
associated with all the files whose parent specialized file
or parent master file relates to this elementary system file.

The invention also relates to a microprocessor user card of
the type designed to cooperate with a terminal in order to
constitute a terminal device of a communications system, as
referred to hereinabove,

characterized in that each object of the data storage means
of the user card is also associated with at least one other
access control policy, each other access control policy
being defined by a set of at least one alternative access
condition, each alternative access condition of another
given access control policy applying, for the object, to a
group of at least one command belonging to the application
or applications using the other given access control policy,

and in that each object is also associated with a plurality of
access control policy indicators, whereby each access
control policy indicator indicates, for one of these
applications, which access control policy, namely the first
or another, is to be used with this application, the access
control policy indicators being stored in the data storage
means of the user card.
The invention also relates to a secured, independent
method for managing at least two remote applications by a
microprocessor user card of the type designed to cooperate
with a terminal to constitute a terminal device of a commu-
nications system as referred to hereinabove,

characterized in that, for each enhanced message received,
the user card carries out in particular the following step:

for each remote command contained in the enhanced
message, verification of accessibility of this remote com-
mand to the object concerned, this accessibility verifica-
tion being based on a first or remote access control policy,
to be used for this object concerned with this current
remote application.
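The two prior steps of this method (discrimination against the list of authorized remote applications, then authentication with the secret reference and mode reached through the elementary system file) together with the backtracking search and the resulting security domains, as an added example that is not code from the patent. File identifiers other than the master file's 3F00, the application names, the message layout and the two HMAC authentication modes are all assumptions made for the example; the patent does not fix them.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

MF = "3F00"  # master file identifier (GSM convention); the other identifiers below are constructed


@dataclass
class File:
    fid: str
    kind: str                         # "MF", "DF", "EF" or "EF_SYS" (elementary system file)
    parent: Optional[str]
    linked_app: Optional[str] = None  # EF_SYS only: the authorized remote application it is linked to


@dataclass
class Card:
    files: dict            # fid -> File
    authorized_apps: dict  # list of authorized remote apps: app -> (secret reference, authentication mode)

    def ef_sys_under(self, fid):
        """At most one elementary system file may sit directly under a DF or under the MF."""
        for f in self.files.values():
            if f.parent == fid and f.kind == "EF_SYS":
                return f
        return None

    def find_ef_sys(self, locator):
        """Backtracking search: look under the DF/MF named by the locator, then under the MF."""
        found = self.ef_sys_under(locator)
        if found is None and locator != MF:
            found = self.ef_sys_under(MF)
        return found

    def parent_app(self, fid):
        """Parent authorized remote application of an EF, or None if no EF_SYS relates to it."""
        ef_sys = self.find_ef_sys(self.files[fid].parent)
        return ef_sys.linked_app if ef_sys else None

    def security_domain(self, app):
        """Child files of a parent application: the logical group it owns under 'private access'."""
        return {f.fid for f in self.files.values()
                if f.kind == "EF" and self.parent_app(f.fid) == app}


@dataclass
class EnhancedMessage:
    locator: str     # header: identifier of the DF/MF to which the application's EF_SYS relates
    app: str         # remote application the embedded commands belong to
    commands: bytes  # the remote commands themselves (opaque here)
    mac: bytes       # authentication tag produced by the application vendor


def compute_mac(mode, secret, locator, app, commands):
    # Assumed authentication modes; the page does not say which algorithms a card supports.
    data = locator.encode() + app.encode() + commands
    if mode == "HMAC-SHA256":
        return hmac.new(secret, data, hashlib.sha256).digest()
    if mode == "HMAC-SHA1":
        return hmac.new(secret, data, hashlib.sha1).digest()
    raise ValueError(f"unknown authentication mode {mode}")


def process(card, msg):
    """Discrimination, then authentication of an enhanced message; returns (outcome, parent app)."""
    if msg.app not in card.authorized_apps:                 # discrimination step
        return "blocked: application not authorized", None
    ef_sys = card.find_ef_sys(msg.locator)                  # second locator -> EF_SYS
    if ef_sys is None or ef_sys.linked_app != msg.app:
        return "blocked: no elementary system file for this application", None
    secret, mode = card.authorized_apps[ef_sys.linked_app]  # first locator -> secret + mode
    expected = compute_mac(mode, secret, msg.locator, msg.app, msg.commands)
    if not hmac.compare_digest(expected, msg.mac):          # authentication step
        return "blocked: authentication failed", None
    return "accepted", ef_sys.linked_app


def sample_card():
    """Constructed card: LEASING owns DF 7FA0 (own EF_SYS); PAYMENT's EF_SYS sits under the MF."""
    files = [
        File(MF, "MF", None),
        File("2FF0", "EF_SYS", MF, linked_app="PAYMENT"),
        File("6F03", "EF", MF),                      # directly under the MF -> parent PAYMENT
        File("7FA0", "DF", MF),
        File("6FF0", "EF_SYS", "7FA0", linked_app="LEASING"),
        File("6F01", "EF", "7FA0"),                  # under LEASING's DF -> parent LEASING
        File("7FB0", "DF", MF),                      # DF without its own EF_SYS
        File("6F02", "EF", "7FB0"),                  # backtracks to the MF's EF_SYS -> PAYMENT
    ]
    apps = {"LEASING": (b"leasing-secret", "HMAC-SHA256"),
            "PAYMENT": (b"payment-secret", "HMAC-SHA1")}
    return Card({f.fid: f for f in files}, apps)


def vendor_message(card, app, locator, commands):
    """Stand-in for the vendor's server, which shares the secret reference with the card."""
    secret, mode = card.authorized_apps[app]
    return EnhancedMessage(locator, app, commands, compute_mac(mode, secret, locator, app, commands))
```

A message whose locator resolves to another vendor's elementary system file is rejected before any secret is used, which is what keeps one vendor's commands out of another vendor's security domain.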

Advantageously, for each enhanced message received, the
user card also carries out a prior discrimination stage of the
enhanced message in order not to continue with its process-
ing unless the remote application, known as current remote
application, to which the remote commands that it contains
belong, is an authorized remote application.

Advantageously, for each enhanced message received, the
user card also carries out a prior step in which it authenti-
cates the enhanced message, using a secret reference and a
message authentication mode that are associated with the
current remote application.

Advantageously, at least some of the elements belonging
to the following group can be created and/or updated and/or
deleted by remote commands:

the access condition values, particularly the first or remote
access condition values, of the access control policies
associated with each object;

the access control policy indicator, particularly the first or
remote access control policy indicator, to be used with
each application for each object;

the list of authorized remote applications;

for each of the authorized remote applications in this list, the
associated secret reference and message authentication
mode;

the elementary system file or files each linked to a separate
authorized remote application;

the elementary files (EF), specialized files (DF), and master
file (MF).

Thus, securization of access to objects according to the
invention can be adapted to the changing needs of each
application by an update or reconfiguration.

Moreover, totally new applications (remote applications
for example) can be added and supported by the smart card
data storage. These new (remote) applications benefit in
the same way as the (remote) applications originally pro-
vided from individual access security (for example with a
specific authentication mode, a specific secret reference, and
a specific security schema).

Other characteristics and advantages of the invention will 
appear from reading the following description of a preferred 
embodiment of the invention provided as an indicative and 
nonlimiting example, and the attached drawings, wherein: 

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified flowchart of a particular embodi- 
ment of a cellular communications system according to the 
invention; 

FIG. 2 shows the structure of a particular embodiment of
an enhanced short message according to the invention 
received by the SIM module of FIG. 1; 
FIG. 3A shows schematically a particular embodiment of
a data storage file in FIG. 1, with its associated access
control policies and indicators;

FIG. 3B shows an example of a plurality of indicators as
associated with a file like the one presented in FIG. 3A;

FIG. 4 shows a first example of partitioning the data 
storage of FIG. 1 between several applications; 

FIG. 5 is a simplified flowchart of a particular embodi- 
ment wherein an enhanced short message is processed by the 
SIM module in FIG. 1; 

FIGS. 6 and 7 show in detail the application filtering and 
message authentication steps in FIG. 5; 

FIGS. 8 and 9 show in detail the command execution 
securizing step in FIG. 5; 

FIG. 10 shows a second example of partitioning the data 
storage in FIG. 1 between several applications. 

DETAILED DESCRIPTION OF THE
INVENTION

In the specific embodiment described below, solely as an 
example, the communications system is a cellular commu- 
nications system of the GSM type. It is clear however that 
the invention is not limited to this particular type of com- 
munications system but relates more generally to all com- 
munications systems having a plurality of terminal devices, 
each composed of a terminal cooperating with a micropro- 
cessor user card. 

For simplicity's sake, FIG. 1 shows only one mobile
station (MS) 1 connected via a network 2 to a short message
service center (SMS-C) 3. In actual fact, the system has a
plurality of mobile stations 1, each being a terminal (ME) 4
cooperating with a subscriber identity module (SIM module)
5.

Each SIM module 5 has in particular and classically: 

Command execution means 6, generally constituting a 
microprocessor; 

A program memory 7 storing the GSM application (or more 
generally, the principal telephone application) and possi- 
bly other local applications. This program memory 7 is for 
example a ROM memory; 

A data storage 8 supporting all the applications, local or 
remote, that the SIM module can execute. In other words, 
it stores all the data that the supported applications must 
be able to access while they are being executed. For 
example, it stores all the individual subscriber informa- 
tion (such as in particular his international subscriber 
number (IMSI identifier), his individual authentication 
key (Ki), and the authentication algorithm (A3)) neces- 
sary for executing the GSM application. This data storage 
8 is for example an EEPROM memory. 

Means (9) for storing and processing short messages 
received. Each short message received by terminal 4 is 
transmitted to SIM module 5 for processing by the GSM 
application. 

The SMS-C 3 employs an enhanced short message service 
(ESMS) that can send two types of short message to all the 
mobile stations 1, namely: 

"Normal" short messages which carry only raw data. The 
raw data in a normal short message is the information to 
be displayed on a screen of terminal 4, for example to 
request a subscriber to call back a different number; 

"Enhanced" short messages which carry commands belong- 
ing to so-called remote (or OTA) applications because the 
commands (also known as "remote") that constitute them 
are not stored in program memory 7 of the SIM module. 
FIG. 2 presents the structure of a particular embodiment of an enhanced short
message according to the invention received by SIM module 5. This enhanced
short message 20 has an SMS header 21 and a body 22 (TP-UD, standing for
"Transfer Layer Protocol - User Data"). Remote commands Cmd1, Cmd2, etc. are
placed in body 22. These are for example the classical commands (operational
or administrative) defined in standards GSM 11.11, ISO 7816-4, or EN 726-3,
such as SELECT, UPDATE BINARY, UPDATE RECORD, SEEK, CREATE FILE, CREATE
RECORD, EXTEND, etc. The other fields to which the present invention relates
are presented in detail in the remainder of the description.

Data storage 8 has a plurality of files. Classically, as specified in GSM
11.11, each of these files is associated with a standard access control
policy. This is defined by a plurality of standard access conditions (AC
standard), each applying to a separate command that can access this file.
Each standard access condition can assume different values (for example
"ALWays", "CHV1", "CHV2", or "NEVer"). None of these values is a function of
the application to which the command that wishes to access the file belongs.

The general principle of the invention also involves associating the
following with each file of data storage 8:
at least one other access control policy, each other access control policy
  being defined by a set of at least one alternative access condition, whereby
  each alternative access condition of another given access control policy
  applies, for this file, to a group of at least one command belonging to the
  application or applications utilizing this other access control policy; and
for each of the supported applications, an access control policy indicator
  indicating which access control policy, i.e. standard or other, is to be
  used with this application.

For simplicity's sake, in the example presented in the description below, the
applications do not each have their own other access control policy for each
file (with their own set of alternative access conditions) but all completely
share (i.e. for all their commands without distinction) two other common
access control policies (each with a single access condition applying to all
the commands).

FIG. 3A shows schematically a particular embodiment of a file 30 of data
storage 8 with its access control policies 31 and associated indicators 32.
The table in Appendix 1 presents for example a plurality of access control
policies such as those associated with this file 30. FIG. 3B presents one
example of a plurality of indicators 32 as associated with file 30.

In the following example of characteristics associated with a file 30,
described in relation to FIG. 3B and the table in Appendix 1, the following
are the case:
the SIM module supports the GSM application (single local application) and
  three remote applications (rem. appl. 1, rem. appl. 1', and rem. appl. 1");
there is one standard access control policy (standard ACP) and two remote
  access control policies (remote ACP no. 1 and remote ACP no. 2).

As shown in the table of Appendix 1, in the standard access control policy,
each command (remote or local), whatever the application to which it belongs
(GSM application or one of the remote applications), is associated with a
specific standard access condition (std. access cond. 1, std. access cond. 2,
. . . ). Classically, each standard access condition has a value belonging to
the group including: "ALWAYS" (access always authorized), "CHV1" or "CHV2"
(access authorized after verification of the SIM module cardholder), and
"NEVER" (access never authorized).

In remote access control policy no. 1, all the remote commands (for
simplicity's sake), whatever the application to which they belong, are
associated with the same remote access condition (also for simplicity's sake)
(rem. access cond. 1). This remote access condition can for example assume
one of the following values: "SHARED", "PRIVATE", and "NEVER". Thus, in this
example it has the value "SHARED".

The meanings of each of these three values will now be explained:
"NEVER" (or "no access") means that file 30 is not accessible by any command,
  whatever the application to which this command belongs;
"PRIVATE" (or "private access") means that file 30 is accessible only by the
  commands belonging to a single predetermined application;
"SHARED" (or "shared access") means that file 30 is accessible by the
  commands belonging to at least two predetermined applications.

It will be noted that the three values "SHARED", "PRIVATE", and "NEVER" are
discussed in the description below with relation to FIGS. 9 to 11.

In remote access control policy no. 2, all the remote commands, whatever the
application to which they belong, are associated with the same remote access
condition (rem. access cond. 2). This remote access condition can for example
assume a value X taken from a different group of values (X, Y, Z, . . . ) than
that referred to above (and including the "SHARED", "PRIVATE", and "NEVER"
values).

As shown in FIG. 3B, for each of the supported applications (GSM appl., rem.
appl. 1, rem. appl. 1', and rem. appl. 1") an access control policy indicator
specifies which access control policy is to be used with this application
(namely standard ACP, remote ACP no. 1, or remote ACP no. 2). Thus, data
storage 8 (and more specifically the set of files using one and the same
remote access control policy) can be partitioned as a function of the various
remote applications supported by this data storage.

In the example shown in FIG. 4, all the files in the data storage use remote
access control policy no. 1. Thus, viewed from the outside (i.e. for remote
applications), the data storage appears to be shared between one local
application and three remote applications (Loyalty, Payment, and GSM). It
will be noted that, in this example, the application known as GSM is not
local but remote.

Data storage 8, in the embodiment shown as an example, has a three-level
hierarchical structure and has the following three types of files:
a master file (MF) or root directory;
a plurality of specialized files (DF: DF Loyalty, DF Payment, DF GSM, DF
  Telecom) which are subdirectories placed under the master file;
a plurality of elementary files (EF), each placed either under one of the
  specialized files (in this case known as "parent specialized file") or
  directly under the master file (in this case known as "parent master file").

There are eight groups of files, namely:
Group A: Files accessible only by the commands of the Loyalty remote
  application, namely files whose remote access condition is "PRIVATE" for
  the Loyalty application;
Group B: Files accessible only by the commands of the Payment remote
  application;
Group C: Files accessible by the commands of the Loyalty and Payment
  applications, namely the files whose remote access condition is "SHARED"
  by the Loyalty and Payment applications;
Group D: Files accessible only by the commands of the Telecom remote
  application;
Group E: Files accessible by the commands of the Telecom and Loyalty remote
  applications;
Group F: Files accessible by the commands of the Payment and Loyalty remote
  applications;
Group G: Files accessible by the commands of the Telecom, Payment and Loyalty
  remote applications;
Group H: Files not accessible by the commands of any remote application,
  namely files whose remote access condition is "NEVER".

It should be noted that the group H files remain accessible to the local
application commands (provided the corresponding standard access conditions
are verified). Likewise, the group H files would be accessible to the remote
application commands using the standard access control policy and not the
remote access control policy (provided once again that the corresponding
standard access conditions are verified).

In relation to the flowchart in FIG. 5, we will now present a particular
embodiment of the method whereby the SIM module processes an enhanced short
message. For each enhanced short message received, the SIM module carries
out in particular the following steps:
determines (51) whether the short message received (also called remote
  signal) is an enhanced short message (and thus contains commands belonging
  to a remote application) or a normal short message;
continues processing (52) in the case of an enhanced short message and
  interrupts it (53) in the contrary case;
determines (54) whether the remote application transmitting the message (i.e.
  the application whose commands are contained in the message) is an
  authorized remote application (application discrimination step 54);
continues (55) processing in the case of an authorized remote application and
  interrupts it (56) in the contrary case;
verifies (57) the authenticity of the message using a secret reference and a
  message authentication mode that are associated with the remote application
  transmitting the message (message authentication step 57);
continues (58) processing if the authentication is correct and interrupts it
  (59) if it is not;
for each remote command contained in the message:
  interprets (510) the remote command (also called operation);
  verifies (511) accessibility of this remote command to the file concerned
    (also called data field) as a function of the access control policy
    (standard or remote) to be used for the file concerned with the remote
    application transmitting the message (command execution securization
    step 511);
  continues (512) processing if the remote command can access the file and,
    if not, goes on (513) to report-generating step 515;
  executes (514) the command; and
  generates (515) an execution report.

FIGS. 6, 7, and 8 illustrate application discrimination step 54 and message
authentication step 57.

As shown in FIG. 6, a file 60 of data storage 8 stores a list of authorized
remote applications. This file 60, called elementary login file (or EF SMS
Log), contains for example the addresses (TP-OA 1 to TP-OA n) of all the
vendors of the authorized remote applications. These addresses are called
TP-OA, with "OA" standing for Originating Address. Also, each enhanced short
message includes a "TP-OA" field in its header (see FIG. 2).

Thus, in application discrimination step 54, the SIM module identifies the
remote application transmitting the message and makes sure that the TP-OA
address of the message is identical to one of the TP-OA addresses in the
elementary login file 60.

FIG. 6 also illustrates the fact that, for each TP-OA address (namely each
authorized remote application) of elementary login file 60, the SIM module is
able to access a set (61 to 63) of three parameters in data storage 8: a
secret reference (Kappli), an authentication mode (algo_id) and a security
schema.

Thus, as illustrated in FIG. 7, to carry out message authentication step 57
the SIM module uses the secret reference (Kappli) and the message
authentication mode (algo_id) that are associated with the
message-transmitting application, which it previously found in data storage
8. Based on these two parameters (Kappli and algo_id) and the message body
data, the SIM module calculates for example a cryptogram which must be
identical to a cryptogram (SMS-Cert) contained in the message body (see FIG.
2) in order for message authentication to be successful.

FIG. 8 shows step 511 in which execution of a command is secured. Each
command (or operation) of a message is actually executed only if, according
to the current security status of the SIM module and the security information
and attributes linked to the remote message-transmitting application, this
command is authorized to access the files on which it is working. This
corresponds to the security schema of the remote application.

The next part of the description presents a particular embodiment of the
invention wherein each authorized remote application is associated with an
elementary system file (EF SMS System) of data storage 8.

Each elementary system file stores a first piece of information that enables
a pair (secret reference Kappli, message authentication mode algo_id) to be
located in data storage 8, this pair being associated with the authorized
remote application to which this elementary system file is linked.

In the present embodiment, this first piece of locator information about a
pair (Kappli, algo_id) is an identifier of a specialized file under which the
EF key_op file containing this pair is located. The EF key_op file can itself
store the message authentication mode or just an algo_id pointer indicating
the storage location of this message authentication mode.

In addition, each enhanced short message includes a second piece of
information locating the elementary system file to which the authorized
remote application transmitting the enhanced short message is linked.

As shown in FIG. 2, in the present embodiment, this second piece of
elementary system file-locating information is a "Login DF" identifier of a
specialized file or a master file to which this elementary system file
relates, according to a predetermined search strategy in the data storage
means.

For example, the SIM module implements a search mechanism of the backtracking
type, namely:
first, looking for an elementary system file in the specified file or the
  current master file (namely the file indicated by the "Login DF"
  identifier);
then, if no elementary system file exists under the specialized file or
  current master file and if the "Login DF" does not indicate the master
  file, looking for an elementary system file directly under the master file.

Thus, the SIM module reads the DF Id identifier in each filtered enhanced
short message. From this "Login DF" it finds the elementary system file to
which the authorized remote application transmitting the message is linked.
In this elementary system file, the SIM module reads the identifier of the
specialized file in which the EF key_op file is located.
In this EF key_op file, it reads the (Kappli, algo_id) pair to
find out the secret reference and message authentication
mode to be used to authenticate the filtered enhanced short
message.
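The discrimination, lookup and authentication steps described above (steps 54 to 59 of FIG. 5: the TP-OA check against the EF SMS Log, the "Login DF" backtracking search for the EF SMS System, the (Kappli, algo_id) pair in EF key_op, and the comparison with SMS-Cert), as an added Python example that is not part of the patent's own description. The message authentication mode is assumed to be an HMAC whose hash function is selected by algo_id, which the text leaves open (it only requires a cryptogram computed from Kappli, algo_id and the message body); the addresses, keys, command string and the FIG. 9 style file layout are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added example, not code from the patent. Steps 54 to 59 of FIG. 5: TP-OA
# filtering against EF SMS Log (file 60), location of the (Kappli, algo_id)
# pair through "Login DF" -> EF SMS System -> EF key_op with the backtracking
# search, then the cryptogram check against SMS-Cert.
# Assumption: the message authentication mode is an HMAC whose hash function
# is selected by algo_id. Addresses, keys and file names are constructed.

ALGOS = {"algo_1": hashlib.sha256, "algo_2": hashlib.sha512}


@dataclass(frozen=True)
class EnhancedSMS:
    tp_oa: str       # header: originating address of the remote application
    login_df: str    # header: "Login DF" identifier ("MF" or a DF name)
    body: bytes      # TP-UD: the remote commands
    sms_cert: bytes  # cryptogram carried in the body


@dataclass
class CardStorage:
    ef_sms_log: frozenset  # EF SMS Log: authorized TP-OA addresses
    ef_sms_system: dict    # owner ("MF" or DF) -> DF that holds its EF key_op
    ef_key_op: dict        # DF -> (Kappli, algo_id)


def find_system_file(storage, login_df):
    """Backtracking search: the EF SMS System under Login DF itself, failing
    that the one directly under the MF, failing that none."""
    if login_df in storage.ef_sms_system:
        return login_df
    if login_df != "MF" and "MF" in storage.ef_sms_system:
        return "MF"
    return None


def cryptogram(kappli, algo_id, body):
    return hmac.new(kappli, body, ALGOS[algo_id]).digest()


def process_enhanced_sms(storage, msg):
    """Return (accepted, outcome, owner): outcome names the FIG. 5 step reached,
    owner the MF/DF whose EF SMS System was used for authentication."""
    if msg.tp_oa not in storage.ef_sms_log:          # step 54 -> 56
        return False, "56: unauthorized remote application", None
    owner = find_system_file(storage, msg.login_df)
    if owner is None:                                 # nothing to authenticate with
        return False, "59: no EF SMS System reachable from Login DF", None
    kappli, algo_id = storage.ef_key_op[storage.ef_sms_system[owner]]
    expected = cryptogram(kappli, algo_id, msg.body)  # step 57
    if not hmac.compare_digest(expected, msg.sms_cert):
        return False, "59: message authentication failed", owner
    return True, "58: authenticated", owner


def build_fig9_storage():
    """Constructed layout in the spirit of FIG. 9: a "DF1" application whose
    EF SMS System sits under DF1, an "MF" application whose EF SMS System sits
    under the MF, and a DF2 that has no EF SMS System of its own."""
    return CardStorage(
        ef_sms_log=frozenset({"+33600000001", "+33600000002"}),
        ef_sms_system={"DF1": "DF1", "MF": "DFKEYS"},
        ef_key_op={"DF1": (b"k-df1-constructed", "algo_1"),
                   "DFKEYS": (b"k-mf-constructed", "algo_2")},
    )


def sender_message(kappli, algo_id, tp_oa, login_df, body):
    """What a remote application's server sends: header fields, body, SMS-Cert."""
    return EnhancedSMS(tp_oa, login_df, body, cryptogram(kappli, algo_id, body))


def demo():
    s = build_fig9_storage()
    body = b"SELECT 6F01; UPDATE BINARY 00 01 02"   # constructed command string
    k1, a1 = s.ef_key_op["DF1"]
    kmf, amf = s.ef_key_op["DFKEYS"]
    return {
        "df1_app": process_enhanced_sms(
            s, sender_message(k1, a1, "+33600000001", "DF1", body)),
        # Login DF = DF2 has no EF SMS System: backtracking reaches the MF key
        "mf_app_via_df2": process_enhanced_sms(
            s, sender_message(kmf, amf, "+33600000002", "DF2", body)),
        # DF1's key cannot authenticate a message that logs in under DF2
        "wrong_key": process_enhanced_sms(
            s, sender_message(k1, a1, "+33600000001", "DF2", body)),
        "unknown_sender": process_enhanced_sms(
            s, sender_message(k1, a1, "+33699999999", "DF1", body)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The TP-OA filter of step 54 only selects which authorized application the card believes is talking; it is the SMS-Cert comparison of step 57, with the key found through the Login DF, that binds the message to that application. This is why the "wrong_key" case is rejected at step 59 rather than at step 56: the sender is listed in the EF SMS Log, but the Login DF it names resolves (by backtracking) to the MF application's elementary system file, so the MF key is used and the cryptogram does not match.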

A maximum of one elementary system file can be placed
under a specialized file. Likewise, a maximum of one
elementary system file can be placed directly under the
master file.

If no elementary system file exists under a specialized file,
nor directly under the master file, the EFs placed under this
specialized file, whatever the value of the remote access
condition associated with each of these elementary files, are
inaccessible by any remote command.

Likewise, if no elementary system file exists directly under
the master file, then the elementary files placed directly
under the master file, whatever the value of the remote
access condition associated with each of these elementary
files, are inaccessible by any remote command.

In the case of a file whose remote access condition has the
value "PRIVATE" ("private access"), the only remote
application whose remote commands can access this file is,
provided its authentication is successful, the authorized
remote application linked to the same elementary system file
as that to which the parent specialized file or parent master
file of this file relates. This authorized remote application
is called the "parent application" of this file.

In the case of a file whose remote access condition has the
value "SHARED" ("shared access"), the predetermined remote
applications whose remote commands can access this file
are, provided their authentication is successful, all the
authorized remote applications, whatever the elementary
system file with which each of them is linked.

FIG. 9 shows an example of a data storage 8 shared 
between two remote applications, namely: 
application "DF1" whose EF SMS System 91 relates to 

specialized file DF1; and 
the "MF" application whose elementary system file 92 

relates to master file MF. 

It will be noted that the messages transmitted by the "DF1" application have
the value DF1 in their "Login DF" field; this is the specialized file under
which the elementary system file 91 of this "DF1" application is located.

On the other hand, the messages transmitted by the "MF" application have the
value MF/DF2 in their "Login DF" field, not the value MF. In fact, since no
elementary system file exists under this specialized file DF2, the SIM module
will look in the master file (backtracking mechanism) for elementary system
file 92 of this "MF" application.

In this example, a distinction is made between the following four groups of
files:
Group A': Files (DF1, EF2) accessible only by the commands of remote
  application "DF1", namely files whose remote access condition is "PRIVATE"
  for the "DF1" application;
Group B': Files (MF, DF2, EF5, EF7) accessible only by the commands of remote
  application "MF";
Group C': Files (EF3, EF1, EF6) accessible by the commands of remote
  applications "DF1" and "MF", namely the files whose remote access condition
  is "SHARED" for the "DF1" and "MF" applications;
Group D': Files (EF4) not accessible by the commands of any remote
  application, namely the files whose remote access condition is "NEVER".

It is important to emphasize that, by means of remote commands, it is possible
with the present invention to create, update, or delete certain elements
listed above, particularly:
the values of the access conditions, standard or remote, of the access control
  policies associated with each file;
the indicator of the access control policy, standard or remote, to be used
  with each application for each file;
the list of authorized remote applications;
for each of the authorized remote applications, the associated secret
  reference and message authentication mode;
the elementary system files EF SMS System, each linked to a separate
  authorized remote application;
the elementary files EF, specialized files DF, and master file MF.

FIG. 10 shows a second example of data storage 8 partitioning. In this second
example, data storage 8 is shared between four remote applications, namely:
the "MF" application, whose elementary system file EF SMS System 0 has
  activated security and relates to the master file;
the "DF1" application, whose elementary system file EF SMS System 1 has
  deactivated security and relates to specialized file DF1;
the "DF2" application, whose elementary system file EF SMS System 2 has
  activated security and relates to specialized file DF2; and
the "DF4" application, whose elementary system file EF SMS System 4 has
  deactivated security and relates to specialized file DF4.

"Activated security", for an elementary system file, means that the access
control policy indicator contained in this elementary system file provides for
use of a remote access control policy. Likewise, "deactivated security", for
an elementary system file, means that the access control policy indicator
contained in this elementary system file provides for use of a standard access
control policy.

It should be noted that specialized file DF3, and all the files placed under
specialized file DF3, have "MF" for a parent application because there is no
elementary system file under specialized file DF3.

Each elementary file is associated with a remote access condition value
("never", "private", or "shared").

The table in Appendix 2 summarizes the various access situations (access
authorized or refused) for each elementary file in FIG. 10, as a function of
the specialized file (or master file) specified in the message header.

The following is indicated for each elementary file to be accessed by the
command (first column):
the remote access condition value associated with this file (first column
  also);
the EF SMS System to which the file to be accessed relates (second column);
  and
the security status (activated or deactivated) of this EF SMS System (second
  column also).

For each specialized file (or master file) specified in the message header,
the parent specialized file (or master file) of the elementary system file
where message authentication is carried out is indicated. It will be noted
that no message authentication is done for specialized files DF1 and DF4,
whose elementary system files (1 and 4 respectively) each have deactivated
security.

This table clearly shows that:
If an elementary system file exists in a specialized file, an elementary
  file of this specialized file whose remote access condition is "PRIVATE"
  cannot be accessed through a remote command contained in a message
  authenticated in another specialized file;
If no elementary system file exists in a specialized file but one exists in
  the master file, an elementary file of this specialized file whose remote
  access condition is "PRIVATE" cannot be accessed through a remote command
  contained in a message authenticated in another specialized file, different
  from the master file and itself containing an elementary system file;
If no elementary system file exists in a specialized file, nor in the master
  file, no message can be authenticated under this specialized file and an
  elementary file of this specialized file, whatever its remote access
  condition, cannot be accessed through a remote command (in other words, if
  no elementary system file is attached to a file, all remote access through
  a remote command is prohibited);
In all cases, an elementary file whose remote access condition is "SHARED"
  can be accessed through a remote command contained in a message which is
  being authenticated.

For simplicity, we will note below:
"LA" (for "Login Appl."): the elementary system file relating to the
  specialized file DF specified in the message header, and
"PA" (for "Parent Appl."): the elementary system file relating to the file
  to be accessed.

More generally, security can then be fully and formally
described with the following seven rules:
R1. If no PA file can be found:
  Then remote access is prohibited.
R2. If a PA file is found but the remote access condition of
  the file to be accessed is "NEVER":
  Then remote access is prohibited.
R3. If a PA file is found and the remote access condition of
  the file to be accessed is "PRIVATE" and the PA file is not
  the same as the LA file:
  Then remote access is prohibited.
R4. If a PA file is found and the remote access condition of
  the file to be accessed is "PRIVATE" and the PA file is the
  same as the LA file, and security is deactivated in the LA
  file:
  Then remote access depends on the standard access condi-
  tions of the file.
R5. If a PA file is found and the remote access condition of
  the file to be accessed is "PRIVATE" and the PA file is the
  same as the LA file, and security is activated in the LA
  file:
  Then remote access is authorized.
R6. If a PA file is found and the remote access condition of
  the file to be accessed is "SHARED" and security is
  deactivated in the LA file:
  Then remote access depends on the standard access condi-
  tions of the file.
R7. If a PA file is found and the remote access condition of
  the file to be accessed is "SHARED" and security is
  activated in the LA file:
  Then remote access is authorized.
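The seven rules above, applied to the FIG. 10 layout, as an added Python example that is not from the patent. The owners of the elementary system files (MF, DF1, DF2, DF4, with DF3 backtracking to the MF), their activated or deactivated security and the three remote access condition values are those the description gives; the EF names (EFx1 private, EFx2 shared, EFx3 never) and the `std_ok` flag are constructed inputs. `std_ok` stands for "the file's standard access condition, such as ALWAYS or CHV1, is fulfilled", which is what R4 and R6 fall back on when the login DF's security is deactivated and the message was therefore not authenticated. `appendix2()` reproduces the columns of Appendix 2 in its column order.

```python
from dataclasses import dataclass

# Added example, not the patent's own code: rules R1 to R7 applied to the
# FIG. 10 layout. Owners, security flags and remote access conditions are
# those the description gives; EF names and the std_ok flag are constructed.

# owner of an EF SMS System -> True if its security is activated (remote ACP),
# False if deactivated (standard ACP applies). DF3 has none and backtracks to MF.
EF_SMS_SYSTEM = {"MF": True, "DF1": False, "DF2": True, "DF4": False}

# "DF specified in ESMS header", in the column order of Appendix 2
LOGIN_DFS = ("MF", "DF2", "DF3", "DF1", "DF4")


@dataclass(frozen=True)
class ElementaryFile:
    name: str
    parent: str     # "MF" or the parent specialized file
    remote_ac: str  # "PRIVATE", "SHARED" or "NEVER"
    std_ok: bool    # constructed: the standard access condition is fulfilled


def system_file_for(df):
    """PA/LA resolution with the backtracking search: the DF's own EF SMS
    System, else the one directly under the MF, else None."""
    if df in EF_SMS_SYSTEM:
        return df
    return "MF" if "MF" in EF_SMS_SYSTEM else None


def remote_access(ef, login_df):
    """Decision for one remote command on `ef`, carried in a message whose
    header names `login_df` (the message is taken as already authenticated
    where the LA file has activated security)."""
    pa = system_file_for(ef.parent)
    la = system_file_for(login_df)
    if pa is None or la is None:            # R1: no PA file (or nothing to log in to)
        return "refused"
    if ef.remote_ac == "NEVER":             # R2
        return "refused"
    if ef.remote_ac == "PRIVATE":
        if pa != la:                        # R3
            return "refused"
    elif ef.remote_ac != "SHARED":
        raise ValueError(f"unknown remote access condition {ef.remote_ac!r}")
    if not EF_SMS_SYSTEM[la]:               # R4, R6: security deactivated in LA
        return "authorized" if ef.std_ok else "refused"
    return "authorized"                     # R5, R7


def appendix2_row(ef):
    """The five decisions of one Appendix 2 row, one per login DF."""
    return tuple(remote_access(ef, df) for df in LOGIN_DFS)


# constructed EF names after Appendix 2: EFx1 private, EFx2 shared, EFx3 never
FIG10_FILES = [
    ElementaryFile(f"EF{d}{i}", parent, ac, std_ok=True)
    for d, parent in ((0, "MF"), (1, "DF1"), (2, "DF2"), (3, "DF3"), (4, "DF4"))
    for i, ac in ((1, "PRIVATE"), (2, "SHARED"), (3, "NEVER"))
]


def appendix2():
    return {ef.name: appendix2_row(ef) for ef in FIG10_FILES}


if __name__ == "__main__":
    print("file       " + "  ".join(f"{df:<10}" for df in LOGIN_DFS))
    for name, row in appendix2().items():
        print(f"{name:<10} " + "  ".join(f"{d:<10}" for d in row))
```

Two points worth checking against the table when reading the output: a file under DF3 (no elementary system file of its own) has the MF's file as its PA, so the DF3 column is identical to the MF column; and under DF1 or DF4, whose security is deactivated, every "authorized" in the SHARED rows and on the diagonal of the PRIVATE rows is conditional on the standard access condition, which is what the (*) marks in Appendix 2 denote.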



Appendix 1

Access Control     Application       Command                       Access Condition            Access Condition Value
Policy (ACP)
-----------------  ----------------  ----------------------------  --------------------------  ----------------------
Standard ACP       any               any command (rem or loc) 1    std. acc. cond. 1           ALWAYS
                                     any command (rem or loc) 2    std. acc. cond. 2           CHV1
                                     . . .                         . . .                       . . .
                                     any command (rem or loc) k    std. acc. cond. k           NEVER
Remote ACP no. 1   remote appl. 1    remote command 1 . . . m      remote access condition 1   SHARED
                   remote appl. 1'   remote command 1' . . . m'
                   remote appl. 1"   remote command 1" . . . m"
Remote ACP no. 2   remote appl. 1    remote command 1 . . . m      remote access condition 2   X
                   remote appl. 1'   remote command 1' . . . m'
                   remote appl. 1"   remote command 1" . . . m"



Appendix 2

Remote access results per file. The columns MF, DF 1, DF 2, DF 3 and
DF 4 give the result for a remote command when that DF is specified in
the ESMS header, i.e. as the DF parent of the EF SMS System where
message authentication is done; "sec. deactivated" for an EF SMS System
means that no message authentication is done for it.

File to be   | EF SMS System concerned                 | MF         | DF 1       | DF 2       | DF 3       | DF 4       | remote access
accessed     |                                         |            |            |            |            |            | conditions
EF 01 (MF)   | EF SMS Syst 0 (MF), sec. activated      | authorized | refused    | refused    | authorized | refused    | private
EF 02 (MF)   | EF SMS Syst 0 (MF), sec. activated      | authorized | ■          | authorized | authorized | ■          | shared
EF 03 (MF)   | EF SMS Syst 0 (MF), sec. activated      | refused    | refused    | refused    | refused    | refused    | never
EF 11 (DF 1) | EF SMS Syst 1 (DF 1), sec. deactivated  | refused    | ■          | refused    | refused    | refused    | private
EF 12 (DF 1) | EF SMS Syst 1 (DF 1), sec. deactivated  | authorized | ■          | authorized | authorized | ■          | shared
EF 13 (DF 1) | EF SMS Syst 1 (DF 1), sec. deactivated  | refused    | refused    | refused    | refused    | refused    | never
EF 21 (DF 2) | EF SMS Syst 2 (DF 2), sec. activated    | refused    | refused    | authorized | refused    | refused    | private
EF 22 (DF 2) | EF SMS Syst 2 (DF 2), sec. activated    | authorized | ■          | authorized | authorized | ■          | shared
EF 23 (DF 2) | EF SMS Syst 2 (DF 2), sec. activated    | refused    | refused    | refused    | refused    | refused    | never
EF 31 (DF 3) | EF SMS Syst 0 (MF), sec. activated      | authorized | refused    | refused    | authorized | refused    | private
EF 32 (DF 3) | EF SMS Syst 0 (MF), sec. activated      | authorized | ■          | authorized | authorized | ■          | shared
EF 33 (DF 3) | EF SMS Syst 0 (MF), sec. activated      | refused    | refused    | refused    | refused    | refused    | never
EF 41 (DF 4) | EF SMS Syst 4 (DF 4), sec. deactivated  | refused    | refused    | refused    | refused    | ■          | private
EF 42 (DF 4) | EF SMS Syst 4 (DF 4), sec. deactivated  | authorized | ■          | authorized | authorized | ■          | shared
EF 43 (DF 4) | EF SMS Syst 4 (DF 4), sec. deactivated  | refused    | refused    | refused    | refused    | refused    | never

(DF 3 holds no EF SMS System, so files under DF 3, and messages whose
header specifies DF 3, relate to EF SMS Syst 0 under the MF.)

■ authorized if standard access condition fulfilled
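The following Python is an added example and not code from the patent or from any card vendor. It models the check that produces the rows of Appendix 2: the backtracking lookup of the EF SMS System (claim 12), discrimination of authorized remote applications (claim 6), authentication of the enhanced message with the secret reference that the EF SMS System locates (claims 7 and 17), and the NEVER / PRIVATE / SHARED remote access conditions (claims 13 and 21). The class and function names, the HMAC-SHA256 message authentication mode, the keys, and the rule that a security-deactivated EF SMS System falls back to the standard access condition (the ■ cells) are assumptions of the example; the patent does not name a MAC algorithm.

```python
"""Added example, not code from the patent: a model of the remote-access
check of claims 6 to 13 and 19 to 21, reproducing the rows of Appendix 2.
SmsSystemFile, Card.check_remote_access and the HMAC-SHA256 authentication
mode are assumptions of this example; the patent only says that each
EF SMS System locates a secret reference and an authentication mode."""
import hashlib
import hmac
from dataclasses import dataclass

NEVER, PRIVATE, SHARED = "never", "private", "shared"  # claim 21 values
DFS = ["MF", "DF 1", "DF 2", "DF 3", "DF 4"]          # columns of Appendix 2


@dataclass
class SmsSystemFile:
    """EF SMS System: at most one per DF and one under the MF (claim 9)."""
    app: str               # authorized remote application linked to it (claim 8)
    key: bytes             # secret reference it locates (claim 7); assumed HMAC key
    security_active: bool  # "sec. activated" / "sec. deactivated" in Appendix 2


@dataclass
class ElementaryFile:
    parent: str               # "MF" or the name of the parent DF
    remote_cond: str          # remote access condition of the command group (claim 20)
    std_cond_ok: bool = True  # outcome of the first (standard) access condition


@dataclass
class Card:
    authorized_apps: set   # list of authorized remote applications (claim 6)
    sms_systems: dict      # DF name -> SmsSystemFile
    files: dict            # EF name -> ElementaryFile

    def find_sms_system(self, df):
        """Backtracking search of claim 12: the DF named in the ESMS header,
        then, if it holds no EF SMS System and is not the MF, the MF itself."""
        if df in self.sms_systems:
            return self.sms_systems[df]
        return self.sms_systems.get("MF") if df != "MF" else None

    def check_remote_access(self, ef_name, header_df, body, mac):
        """Accessibility verification of claim 15 for one remote command."""
        msg_sys = self.find_sms_system(header_df)
        if msg_sys is None:                           # claim 10: no EF SMS System
            return "refused"
        if msg_sys.app not in self.authorized_apps:   # discrimination (claims 6, 16)
            return "refused"
        ef = self.files[ef_name]
        if ef.remote_cond == NEVER:
            return "refused"
        file_sys = self.find_sms_system(ef.parent)    # parent EF SMS System of the file
        if file_sys is None:
            return "refused"
        if msg_sys.security_active:                   # authentication step (claim 17)
            expected = hmac.new(msg_sys.key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, mac):
                return "refused"
        elif not ef.std_cond_ok:
            # No message authentication: authorized only if the standard
            # access condition is fulfilled (the square mark in Appendix 2).
            return "refused"
        if ef.remote_cond == SHARED:                  # any authenticated authorized app
            return "authorized"
        # PRIVATE: only the parent authorized remote application of the file (claim 13)
        return "authorized" if file_sys is msg_sys else "refused"


def make_esms(key, header_df, body):
    """Sender side: an enhanced message is (header DF, body, MAC over the body)."""
    return header_df, body, hmac.new(key, body, hashlib.sha256).digest()


def build_card():
    """Constructed card laid out like Appendix 2 (keys are made up)."""
    systems = {"MF": SmsSystemFile("app0", b"k0", True),
               "DF 1": SmsSystemFile("app1", b"k1", False),
               "DF 2": SmsSystemFile("app2", b"k2", True),
               "DF 4": SmsSystemFile("app4", b"k4", False)}   # DF 3 has none
    files = {}
    for n, parent in enumerate(DFS):
        for suffix, cond in ((1, PRIVATE), (2, SHARED), (3, NEVER)):
            files[f"EF {n}{suffix}"] = ElementaryFile(parent, cond)
    return Card({"app0", "app1", "app2", "app4"}, systems, files)


def appendix2_row(card, ef_name, body=b"UPDATE BINARY"):
    """Result per header DF, each message MACed with the key of the EF SMS
    System that the header DF resolves to, i.e. by the legitimate sender."""
    return [card.check_remote_access(ef_name, *make_esms(card.find_sms_system(df).key, df, body))
            for df in DFS]


if __name__ == "__main__":
    card = build_card()
    for name in sorted(card.files):
        print(name, card.files[name].remote_cond, appendix2_row(card, name))
```

Run as a script it prints one Appendix 2 row per file. Two points worth noting: a message whose MAC does not verify against the secret reference of the EF SMS System named in its header is refused even on a shared file, and a header naming a DF without an EF SMS System resolves to the MF, which is why EF 31 behaves exactly like a file placed directly under the MF.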



What is claimed is: 

1. Communications system of the type having a plurality 
of terminal devices (MS), each including a terminal (4) 
cooperating with a microprocessor user card (5), 

each user card including data storage means (8) including 
a plurality of objects, this data storage means (8) 
serving to support at least two different applications, 
the user card including means (6, 7) for executing 
commands belonging to these applications, 

each object included in the data storage means of a user 
card being associated with a first access control policy 
defined by a set of first access conditions, each of these 
first access conditions applying, for the object, to a 
group of at least one command belonging to the appli- 
cation or applications using this first control access 
policy, 

characterized in that each object is also associated with at 
least one other access control policy, each other control 
access policy being defined by a set of at least one 
alternative access conditions, each alternative access 
condition of another given access control policy 
applying, for this object, to a group of at least one 
command belonging to the application or applications 
using this other given access control policy, 

and in that each object is also associated with a plurality
of access control policy indicators, each access control
policy indicator indicating, for one of these applications,
which access control policy, namely the first or another,
is to be used with this application, these access control
policy indicators being stored in said data storage
means (8).

2. System according to claim 1, characterized in that, for 
each object, at least one other access control policy is 
specific to one of the applications, each alternative access 
condition of this other specific access control policy 
applying, for said object, to a group of at least one command 
belonging to the single application using this other specific 
access control policy. 

3. System according to claim 1, characterized in that, for 
each object, at least one other access control policy is fully 
common to at least two applications, each alternative access 
condition of this other fully common access control policy 

applying, for said object, to a group of at least one command
belonging to said at least two applications using this other 
fully common access control policy. 

4. System according to claim 1, characterized in that, for
each object, at least one other access control policy is
partially common to at least two applications,

whereby some of the alternative access conditions of this 
other partially common access control policy apply, for 
said object, to a group of at least one command 
belonging to said at least two applications using this 
other common access control policy, 
whereby others of the alternative access conditions of this 
other partially common access control policy apply, for 
said object, to a group of at least one command
belonging solely to one of said at least two applications
using this other common access control policy.

5. System according to claim 1, of the type allowing
cellular communications, characterized in that said plurality
of terminal devices is a plurality of mobile stations (1), said
user cards being subscriber identity modules (5).

6. System according to claim 1, including at least one
message service center,

said data storage means of a user card serving to support
at least one local application and at least one remote
application of said user card, the commands being
termed local when they belong to said local application
or remote when they belong to said remote application,

each terminal (4) being able to receive messages of the
normal or enhanced type transmitted by said message
service center, each user card (5) including means (9)
for storing and processing messages received by the
terminal with which it cooperates,

whereby the normal messages containing raw data
constitute information to be furnished to the subscriber by
means of, in particular, a terminal display screen, with
the enhanced messages (20) containing remote commands,

characterized in that said data storage means (8) of each
user card also store a list of authorized remote
applications,

and in that each user card also includes enhanced message
discrimination means enabling each enhanced message
containing remote commands not belonging to one of
said authorized remote applications to be blocked.

7. System according to claim 6, characterized in that said
data storage means of each user card also store, for each of
said authorized remote applications, a secret reference and
an associated message authentication mode,

and in that each user card also includes discriminated
enhanced message authentication means enabling a
discriminated enhanced message to be authenticated
using the secret reference and the message authentication
mode associated, in said data storage means, with
the authorized remote application to which the commands
contained in said discriminated enhanced message belong.

8. System according to claim 7 wherein, said data storage
means of each user card having a hierarchical structure with
at least three levels and having at least the three following
types of files:

master file;

specialized file, or subdirectory, placed below said master
file;

elementary file, placed below one of said specialized files,
known as parent specialized file, or directly below said
master file, known as parent master file,

characterized in that said data storage means of each user
card include at least one elementary system file, each
elementary system file being linked to an authorized
remote application and storing a first piece of locator
information about the secret reference and the message
authentication mode that are associated with this authorized
remote application to which it is linked,

and in that each enhanced message includes a second
piece of locator information for the elementary system
file with which the authorized remote application, to which
the commands contained in said enhanced message belong,
is linked,

whereby said authentication means read, in each
discriminated enhanced message, said second piece of
elementary system file locator information in order to read,
in the elementary system file, said first piece of locator
information for the secret reference and message
authentication mode to be used to authenticate said
discriminated enhanced message.

9. System according to claim 8, characterized in that each
elementary system file is placed under a specialized file or
directly under the master file, whereby a maximum of one
elementary system file can be placed under each specialized
file, and a maximum of one elementary system file can be
placed directly under the master file.

10. System according to claim 9, characterized in that, if
no elementary system file exists under a specialized file or
under the master file, then each elementary file placed under
said specialized file, whatever the value of the remote access
conditions associated with this elementary file, is not
accessible by any remote command, and in that, if no
elementary system file exists directly under the master file,
then each elementary file placed directly under the master
file, whatever the value of the remote access conditions
associated with this elementary file, is not accessible by any
remote command.

11. System according to claim 10, characterized in that
said second piece of information for locating the elementary
system file is an identifier of a specialized file or a master
file to which said elementary system file relates according to
a predetermined search strategy in the data storage means.

12. System according to claim 11, characterized in that
said predetermined search strategy in the data storage means
is a backtracking search mechanism which looks to see
whether an elementary system file exists under the
specialized file or master file indicated by said identifier
and, if not, and if the identifier does not indicate the master
file, looks to see whether an elementary system file exists
directly under the master file.

13. System according to claim 8, characterized in that, in
the case of a file one of whose remote access conditions has
the "private access" value, said predetermined unique
remote application whose remote commands can access said
file is, provided it is successfully authenticated, the parent
authorized remote application of said file, namely the
authorized remote application linked to the same elementary
system file as that to which the parent specialized file or
parent master file of said file relates,

and in that, in the case of a file one of whose remote access
conditions has the "shared access" value, said at least
two predetermined remote applications whose remote
commands are able to access said file are, provided they
are successfully authenticated, all the authorized
remote applications, whatever the elementary system
file to which each of them is linked.

14. System according to claim 8, characterized in that
each elementary system file comprises a separate set of
access control policy indicators, whereby each access
control policy indicator, for one of said applications,
indicates what access control policy, namely the first or
another, is to be used with this application,

said separate set of access control policy indicators being
associated with all the files whose parent specialized
file or parent master file relates to said elementary
system file.

15. A secured, independent method for managing at least
two remote applications by a microprocessor user card of the
type designed to cooperate with a terminal (4) in order to
constitute a terminal device (1) of a communications system
according to claim 6,
characterized in that, for each enhanced message
received, said user card carries out in particular the
following step: for each remote command contained in
said enhanced message, verification of accessibility of
this remote command to the object concerned, said
accessibility verification being based on a first or
remote access control policy, to be used for said object
concerned with said current remote application.

16. Method according to claim 15, characterized in that,
for each enhanced message received, said user card also
carries out a prior discrimination stage (54) of said enhanced
message in order not to continue with its processing unless
the remote application, known as current remote application,
to which the remote commands that it contains belong, is an
authorized remote application.

17. Method according to claim 15, characterized in that,
for each enhanced message received, said user card also
carries out a prior step (57) in which it authenticates said
enhanced message, using a secret reference and a message
authentication mode that are associated with said current
remote application.

18. Method according to claim 15, characterized in that at
least some of the elements belonging to the following group
can be created and/or updated and/or deleted by remote
commands:

the access condition values, particularly the first or remote
access condition values, of the access control policies
associated with each object;

the access control policy indicator, particularly the first or
remote access control policy indicator, to be used with
each application for each object;

the list of authorized remote applications;

for each of the authorized remote applications in said list,
the associated secret reference and message
authentication mode;

the elementary system file or files each linked to a
separate authorized remote application;

the elementary, specialized, and master files.

19. System according to claim 1, characterized in that, for
said object, the or at least one of the other access control
policies, known as second access control policy, is defined
by a set of at least one special alternative access conditions,
each special alternative access condition being able to
assume in particular the following values:

"no access": if said object is not accessible by any
command in said group of at least one command to
which said special alternative access condition applies;

"private access": if said object is accessible only by the
commands belonging to a single predetermined
application, among said group of at least one command
to which said special alternative access condition
applies;

"shared access": if said object is accessible by the
commands belonging to at least two predetermined
applications, within said group of at least one command
to which said special alternative access condition
applies.

20. System according to claim 19, characterized in that,
for each object, at least one other access control policy,
known as remote access control policy, is defined by a set of
at least one remote access conditions, each remote access
condition applying, for said object, to a group of at least one
remote command belonging to the remote application or
applications using said remote access control policy,

and in that, for each object, only the access control policy
indicators each associated with one of the remote
applications are able to indicate said remote access
control policy.

21. System according to claim 20, characterized in that,
for each object, each remote access condition can assume the
same values NEVER, PRIVATE, SHARED as said special
alternative access conditions.

22. Microprocessor user card of the type designed to
cooperate with a terminal in order to constitute a terminal
device of a communications system according to claim 1,
characterized in that each object of the data storage means
of said user card is also associated with at least one other
access control policy, each other access control policy being
defined by a set of at least one alternative access condition,
each alternative access condition of another given access
control policy applying, for said object, to a group of at least
one command belonging to the application or applications
using said other access control policy,

and in that each object is also associated with a plurality
of access control policy indicators, whereby each
access control policy indicator indicates, for one of said
applications, which access control policy, namely the
first or another, is to be used with this application, said
access control policy indicators being stored in the data
storage means (8) of said user card.

* * * * *